ASP/MTS/ADSI Web Security

By Richard Harrison
Published by Prentice Hall
March 1999; $44.99; ISBN 0130844659

The sample chapter presented here is Copyright 1999 Richard Harrison

Table of Contents
Acknowledgments
Introduction
About the Author
Chapter 1: Security Is a Journey ... Not a Destination
Chapter 2: The Windows NT Security Environment
Chapter 3: Network Security
Chapter 4: IIS Web Server Security
Chapter 5: Secure Channels
Chapter 6: Establishing Trust ... and Protecting the Desktop
Chapter 7: ASP Security Fundamentals
Chapter 8: ASP Application-Level Security
Chapter 9: Creating Our Own Public Key Infrastructure with Microsoft Certificate Server
Chapter 10: Component Security with MTS
Chapter 11: Web Database Security with MTS/ASP
Chapter 12: Directory Services
Chapter 13: The "Alliance" Application
Chapter 14: Membership Server
Chapter 15: Active User Objects
Appendix: Microsoft and the Active Platform
Index
About the CD-ROM

Chapter 1: Security Is a Journey ... Not a Destination

In days gone by, evil highwaymen patrolled the rough dirt tracks of old England. They preyed on wayfarers and their possessions, causing fear throughout the land. As the tracks improved, and hence became more widely traveled, crime escalated too. It was only when the protection of travelers and their goods could be ensured that these rough tracks were able to evolve into sensible highways, providing the essential transportation infrastructure for modern business and human lifestyle.

Today's so-called information superhighways are now going through a similar inaugural phase, with many individuals and organizations rushing to get some sort of online capability. However, only when business has confidence that the system cannot be infiltrated, and that network information can pass unimpeded, will electronic business - on a worldwide scale - intensify.

A few commercial organizations may regard the risks of doing business in cyberspace as unacceptable; but the rapid expansion of this powerful delivery channel means that they make such decisions at their peril. The use of the Internet can no longer be considered an option in business activity; it is a necessity. If you hesitate, then your rivals will gain a considerable head start in using this potent technology.

The unfortunate (and often ignorant) hype over Internet security doesn't help. The scare stories - often generated by people who will happily hand over a credit card in a store, but will not divulge the same details over the Web - are causing confusion and nervousness in the business community.

As with any commercial activity, the risks of using the Internet should be put into perspective. To perform accurate risk analysis, it is important to understand what levels of protection are available.

In this chapter, we'll preview the key concepts that you should be aware of as you design and develop a security system. As we go through the book, we'll have an opportunity to understand what these concepts mean. In particular we shall look at:

  • What is security?
  • The issues that need to be addressed to create a trusted system
  • How to manage the risks by performing risk assessment
  • Risks on the Internet
  • Requirements for Web security

So let us start our journey by clarifying what we mean by security. Then we can discuss the need to apply appropriate levels of security for each particular situation.

What Does Security Mean?

Since security is a term that means different things to different people, and has both business and technical connotations, we shall use this first section to clarify what we mean by it. Typically, developers, product vendors, organizations, and end users all have different points of view on the subject.

We shall start with a definition of security and then proceed to preview the key concepts that you should be aware of as you design and develop a security system. Many of these initial security topics are applicable to traditional systems as well as to more modern Internet/Intranet environments.

Trusted Systems

From the business perspective, security means implementing a system that can be trusted. This means that the system must be designed and correctly configured to provide:

  • Legitimate access to the system
  • Data confidentiality
  • Protection against malicious code
  • Auditability of user access
  • Data integrity
  • High levels of availability
  • Nonrepudiation of received information

Let us dig into each of these topics just a little and introduce some key terms.

Access Controls

A key task of any security subsystem is to restrict system access to a known group of users. Checking for the legitimate use of a system involves the following steps:

  • Identify the user and verify the claimed identity; this process is called authentication
  • When the user attempts to perform a particular action (e.g., invoke an executable program), check that the user has been granted the appropriate access rights (or permissions); this second step is called authorization

Typically, there are various levels of access rights. For example, one user may be allowed to read and modify data, while another may only be allowed to read the data.

This topic will be frequently encountered in this book. In Chapters 2 and 4 we shall discuss Microsoft Windows NT and IIS and see how these products provide core facilities for user authentication and applying permissions. Then, throughout Section Two of the book, we shall see various mechanisms for identifying the user to determine what levels of functionality to provide for the user.

The application of access controls must also include physical access to the computing facilities. Physical security is discussed later in the chapter.

Data Confidentiality

Providing data confidentiality and protection against unauthorized modification can be partially achieved by the access controls just described: a user who cannot be authenticated, or who lacks the relevant permission, cannot read or alter the data.

We can gain additional confidence about the confidentiality of any data by using software services that provide data encryption. This is the process of applying an algorithm, together with a secret key, to a message, which scrambles the data it contains. Given only the encrypted data (the ciphertext) and not the key, it is very difficult and time-consuming (if not practically impossible) to recover the original message.

One way to circumvent the access controls is to trick a legitimate user or the system into invoking a malicious piece of code. Such a program could snoop around for interesting data (such as users' passwords) and then send the data electronically to the perpetrator. Sometimes such malicious code can be concealed within a standard program so that when it is invoked, both the normal and the rogue functionality are invoked and the user is unaware of any security breach. Such a program is called a Trojan Horse (or just a Trojan) and can be very difficult to detect. In Chapter 6 we shall discuss how to establish levels of trust and see a mechanism for verifying the origin of software. In short, the indispensable message is: don't execute software from anyone you don't trust, especially if you are running with administrator's permissions.

One other scenario where your information could easily fall into the wrong hands is when it is traversing over a network and outside the security of your system. In Chapter 5 we shall discuss secure communication channels and see how network traffic can be encrypted (and deciphered) by the networking software.

Virus Protection

A Trojan is one type of malicious code, but there are others. Solutions are required to protect our systems against any software that contains hidden malicious functions and tries to spread onto as many other systems as possible. Such programs, macros, and scripts go under the generic name of viruses.

Many people are unaware that viruses are not restricted to executables. For example, Microsoft Word now has the ability to code macros using Visual Basic for Applications, and these can be invoked automatically when the document is opened. The power of Visual Basic means that such macros could easily perform some harmful actions. There have been numerous examples of Word documents with dangerous payloads being e-mailed to unsuspecting recipients. The latest versions of Word display a warning if the document contains macros, but this relies on the user's being aware of the risks of enabling macros in a document of unknown origin.

Unfortunately, many viruses are spreading more quickly than they can be detected and removed. Viruses generate a wide variety of symptoms, from an annoying repetitive message, to accessing and transmitting confidential data, to complete hard disk wipe-out. Never underestimate what might be lurking within a virus.

Even the most innocuous virus may carry serious consequences. Suppose a business-critical system was infected with a virus that puts up a "joke" message and then holds up further system processing until a user has responded. The impact of such a virus is potentially disastrous.

Virus detection software can be used for continual scanning of the hard disk(s), memory, and network interfaces for known viruses, and to treat the system by removing the malicious code. We shall discuss networking architectures in Chapter 3 and see how to protect internal systems from direct exposure to the Internet using a proxy server. Both proxy servers and e-mail systems should be running virus detection software.

Since new viruses are continually being developed, it is important to regularly update virus detection software to the latest versions to ensure detection of any recent additions to the list of known viruses.

Auditability

Auditability involves the generation and recording of a trail of user actions and accesses to system resources - and each record must include enough information to identify the user who performed the operation. Such information is often invaluable when trying to analyze the events leading to a security breach.

It is obviously important for these audit trails to be protected from unauthorized access or modification. Alerts can be triggered to warn administrators about security and access problems, which could mean that potential attacks are in progress.

We shall introduce the Windows NT Event Viewer in Chapter 2 and the standard IIS logging facilities in Chapter 4. We shall augment these facilities by using ASP to record user activity to provide an audit trail in Chapter 8.

Auditing works hand in hand with authentication. Once the user has been identified, his or her activity can be recorded and associated with the user identifier. However, it is common on the Internet to allow users to access Web sites anonymously. The activity for all such users will normally be associated with a single "anonymous" user identifier. However, while users may believe they are surfing anonymously, there are a number of other items that sometimes may be used to identify them; examples include cookies and IP address. We shall discuss this further in Chapter 6 when we address privacy.
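
The two access-control steps (authentication, then checking permissions) and the audit trail described above, as an added example that is not part of the book's code. It is a Python model, not the Windows NT or IIS mechanisms the chapter refers to: the user database, passwords, ACL and resource names are constructed for illustration; the password check uses PBKDF2 from the standard library, and the audit records are hash-chained so that a record altered after the fact can be detected, which is one way of meeting the requirement that the trail be protected from modification. Requests that present no credentials are recorded under the single anonymous identifier the chapter mentions; requests that present bad credentials are recorded as failed logons.

```python
import hashlib
import hmac
import json
import os
import time

ANONYMOUS = "anonymous"   # the single identifier all unauthenticated users share

def hash_password(password, salt=None):
    """PBKDF2-HMAC-SHA256 of the password; returns (salt, digest)."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

# Constructed user database: name -> (salt, digest). Plaintext passwords are never stored.
USERS = {
    "alice": hash_password("correct horse battery"),
    "bob": hash_password("s3cret-bob"),
}

# Constructed ACL: resource -> user id -> rights. Anything not listed is denied.
ACL = {
    "orders.db": {"alice": {"read", "write"}, "bob": {"read"}},
    "index.html": {ANONYMOUS: {"read"}, "alice": {"read"}, "bob": {"read"}},
}

def authenticate(user, password):
    """Step 1: identify the caller.  No credentials -> ANONYMOUS;
    bad credentials -> None (a failed logon, which is itself audited)."""
    if user is None:
        return ANONYMOUS
    record = USERS.get(user)
    # Hash against a dummy record when the user is unknown, so response timing
    # does not reveal which user names exist.
    salt, expected = record if record else (b"\0" * 16, b"\0" * 32)
    _, digest = hash_password(password or "", salt)
    ok = hmac.compare_digest(digest, expected)
    return user if (record is not None and ok) else None

def authorize(user_id, resource, right):
    """Step 2: deny by default; grant only a right explicitly listed for this user."""
    return right in ACL.get(resource, {}).get(user_id, set())

class AuditLog:
    """Append-only trail in which every record carries the hash of its predecessor,
    so altering or deleting an earlier record breaks the chain."""
    GENESIS = hashlib.sha256(b"audit-log-genesis").hexdigest()

    def __init__(self):
        self.records = []
        self._prev = self.GENESIS

    @staticmethod
    def _digest(body):
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def record(self, user_id, action, resource, outcome):
        entry = {"ts": time.time(), "user": user_id, "action": action,
                 "resource": resource, "outcome": outcome, "prev": self._prev}
        entry["hash"] = self._digest(entry)
        self.records.append(entry)
        self._prev = entry["hash"]
        return entry

    def verify(self):
        """Recompute the chain from the genesis value; False on any tampering."""
        prev = self.GENESIS
        for entry in self.records:
            body = {k: v for k, v in entry.items() if k != "hash"}
            if body["prev"] != prev or self._digest(body) != entry["hash"]:
                return False
            prev = entry["hash"]
        return True

def request(log, user, password, action, resource):
    """Authenticate, authorize, audit.  Returns (user id or None, allowed)."""
    user_id = authenticate(user, password)
    if user_id is None:
        log.record(user, "logon", "-", "failed")   # failed logons are worth recording too
        return None, False
    allowed = authorize(user_id, resource, action)
    log.record(user_id, action, resource, "granted" if allowed else "denied")
    return user_id, allowed
```

The chain only detects tampering; it does not prevent it. The log must still be written somewhere the application's own account cannot rewrite, and the latest record hash can be copied off the machine periodically so that truncating the whole trail is also noticed.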

Data Integrity

To trust our system we must be able to rely on our data. As mentioned above, we must protect the data from rogues and malicious attack ... but we must also be able to protect it from operating failures.

Data integrity relies on software services that prevent files and data stores from being left in a corrupted state should system, network, or application failures occur. For example, if a failure takes place part-way through a series of database updates, a transactional system will automatically roll back the data to the previous consistent state, and the user will be notified that the transaction did not complete successfully. The updates are thus applied as a unit: either all of them take effect or none of them do.

In Chapters 10 and 11, we shall discuss Microsoft Transaction Server and see how it greatly reduces the complexity of developing reliable database applications across a distributed computing environment.
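
The rollback behaviour described above, as an added example using Python's standard-library sqlite3 module rather than Microsoft Transaction Server; the accounts, balances and the failure injected part-way through the update are constructed. The point it shows is that the debit is never visible on its own: the caller sees either both rows changed or neither.

```python
import sqlite3

def open_store():
    """Constructed in-memory store with two accounts; the CHECK constraint
    forbids overdrafts, which is one of the failures exercised below."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE accounts ("
        "  name TEXT PRIMARY KEY,"
        "  balance INTEGER NOT NULL CHECK (balance >= 0))"
    )
    conn.executemany("INSERT INTO accounts VALUES (?, ?)",
                     [("alice", 100), ("bob", 50)])
    conn.commit()
    return conn

def transfer(conn, src, dst, amount):
    """Debit src, then credit dst, as one transaction.  Returns True on success.
    If anything fails after the debit, the 'with conn' block rolls the debit back
    and False is returned so the caller can tell the user."""
    if amount <= 0:
        return False
    try:
        with conn:   # commits on normal exit, rolls back on any exception
            debit = conn.execute(
                "UPDATE accounts SET balance = balance - ? WHERE name = ?", (amount, src))
            credit = conn.execute(
                "UPDATE accounts SET balance = balance + ? WHERE name = ?", (amount, dst))
            if debit.rowcount != 1 or credit.rowcount != 1:
                # Failure part-way through: the debit above may already be applied
                raise LookupError("unknown account")
        return True
    except (sqlite3.IntegrityError, LookupError):
        return False

def balances(conn):
    """Snapshot of every account, used to confirm the store stayed consistent."""
    return dict(conn.execute("SELECT name, balance FROM accounts ORDER BY name"))
```

Here the unit of work is confined to one database; MTS offers the same all-or-nothing guarantee across components and distributed resources, which is what Chapters 10 and 11 cover.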

Availability

With today's business-critical systems, it is vital to achieve high levels of availability. If a system failure occurs, then a backup system should be available. Ideally, the backup system should detect that a problem has occurred and automatically take over as the primary system, leaving the user unaware of such events.

A major problem for important systems is denial-of-service attacks. In such an attack, a rogue user invokes some executable logic that deliberately uses up excessive system resources in order to leave none available for other users. Obviously, such attacks on business-critical systems can be very costly to organizations.

Some famous examples of attacks that have been targeted at Windows NT machines are:

  • Ping of Death Attack. Here, the attacker sends an ICMP echo request fragmented so that its reassembled length exceeds the 65,535-byte maximum that an IP datagram may have. When the target machine attempts to reassemble the fragments, it overflows its internal buffers and causes the machine to become unstable.

  • SYN Flood Attack. The establishment of a TCP/IP connection involves a three-stage handshake, as follows. First, a SYN packet is sent from the client. Second, the server returns a SYN-ACK packet to the client and sets aside state for the half-open connection. Finally, the client responds to the SYN-ACK with an ACK. A SYN Flood attack occurs when the client (usually using forged source addresses) initiates a huge number of connections but never responds to any of the SYN-ACKs. Consequently, the server's table of half-open connections fills up, its TCP/IP stack runs out of resources, and legitimate connection attempts are refused.
  • RPC Listener Attack. Running the Telnet terminal emulator, connecting to TCP port 135, and sending a handful of arbitrary characters causes the CPU utilization to hit 100%. We shall discuss TCP/IP in Chapter 3. Suffice to say here that port 135 is the RPC endpoint mapper, and its designers never coded defensively for the possibility of erroneous characters being received.
  • Teardrop (or Bonk) Attack. In this attack, the IP fragment headers carry false offset and length information, so that the fragments overlap or lie inside one another. The reassembly code in the TCP/IP stack did not check for this and became totally confused, resulting again in unpredictable results (including the blue screen of death).
  • Large URL Attack. Here, IIS would crash if it received an HTTP request that contained a URL that was abnormally long (around 8 KB or more).
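
The reassembly checks whose absence the Ping of Death and Teardrop entries above depend on, as an added example that is not code from the book or from any real TCP/IP stack. Fragments are modelled as (byte offset, more-fragments flag, payload) tuples constructed inline rather than parsed from real packets, and the three sample datagrams at the end are likewise constructed.

```python
IP_MAX_DATAGRAM = 65535   # the largest total length a 16-bit IPv4 length field can express

class BadFragment(ValueError):
    """Raised for a fragment that a careful stack should drop."""

class Reassembler:
    """Collects the fragments of one datagram, refusing the malformed ones."""

    def __init__(self):
        self.pieces = {}    # byte offset -> payload
        self.total = None   # datagram length, known once the last fragment (MF=0) arrives

    def add(self, offset, more, payload):
        end = offset + len(payload)
        if offset % 8 or (more and len(payload) % 8):
            raise BadFragment("offsets and non-final payloads must be multiples of 8")
        if end > IP_MAX_DATAGRAM:
            # Ping of Death: the reassembled size cannot fit the 16-bit length field
            raise BadFragment(f"fragment ends at byte {end}, beyond {IP_MAX_DATAGRAM}")
        for start, data in self.pieces.items():
            # Teardrop/Bonk: a fragment that overlaps, or lies inside, an earlier one
            if offset < start + len(data) and start < end:
                raise BadFragment(f"[{offset},{end}) overlaps [{start},{start + len(data)})")
        if not more:
            if self.total is not None:
                raise BadFragment("more than one final fragment")
            self.total = end
        if self.total is not None and end > self.total:
            raise BadFragment("fragment extends past the final fragment")
        self.pieces[offset] = payload

    def complete(self):
        """The reassembled datagram, or None while fragments are still missing."""
        if self.total is None:
            return None
        data = bytearray()
        for start in sorted(self.pieces):
            if start != len(data):
                return None   # a gap before this piece: keep waiting
            data += self.pieces[start]
        return bytes(data) if len(data) == self.total else None

def reassemble(fragments):
    """Feed (offset, more, payload) tuples to a fresh Reassembler.  Returns the
    datagram, None if incomplete, or the BadFragment that caused rejection."""
    r = Reassembler()
    try:
        for offset, more, payload in fragments:
            r.add(offset, more, payload)
    except BadFragment as exc:
        return exc
    return r.complete()

# Constructed sample datagrams (offsets in bytes, i.e. 8 x the header's fragment offset):
NORMAL = [(0, True, b"A" * 16), (16, False, b"B" * 8)]
PING_OF_DEATH = [(0, True, b"A" * 8), (65528, False, b"X" * 16)]  # would end at byte 65544
TEARDROP = [(0, True, b"A" * 32), (24, False, b"B" * 8)]          # second piece inside the first
```

A production stack would also bound how many partial datagrams it holds and for how long, since an attacker who never sends the final fragment can otherwise tie up reassembly buffers indefinitely; that is a resource-exhaustion problem of the same family as the SYN flood.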

Like viruses, denial-of-service attacks can be invoked using a wide range of mechanisms; moreover, it's often difficult to prevent such an attack or to establish who is the instigator. Attacks of this type are evolving, and software vendors are consistently playing catch-up as they build defensive logic into their products to handle each known type of attack.

Attacks like those outlined above are continually being devised and are extremely hard to protect against, except by relying on software vendors to release updates to their products with defensive logic built in that prevents the attack from causing disruption.
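
The SYN flood listed above, together with the kind of defensive logic a stack can build in, as an added example: a Python model of the listener's half-open connection table, not real socket code and not code from the book. The addresses, backlog size and HMAC secret are constructed. The defence shown is SYN cookies, which the chapter does not name; it is the standard technique (due to D. J. Bernstein, 1996) of encoding the handshake state in the server's initial sequence number so that nothing is stored until the client's final ACK proves it can receive traffic at the address it claimed.

```python
import hashlib
import hmac

BACKLOG = 128   # constructed size of the half-open (SYN_RCVD) connection table

class Listener:
    """The server side of the handshake, with or without SYN cookies."""

    def __init__(self, use_syn_cookies, secret=b"constructed-secret"):
        self.use_syn_cookies = use_syn_cookies
        self.secret = secret
        self.half_open = {}      # (client ip, client port) -> server ISN awaiting the ACK
        self.established = set()
        self.dropped = 0         # SYNs refused because the table was full

    def _cookie(self, client, client_isn):
        """Server ISN derived from the connection tuple with a keyed hash, so an
        attacker who never saw the SYN-ACK cannot forge the final ACK."""
        msg = f"{client[0]}:{client[1]}:{client_isn}".encode()
        mac = hmac.new(self.secret, msg, hashlib.sha256).digest()
        return int.from_bytes(mac[:4], "big")

    def on_syn(self, client, client_isn):
        """First step: returns the server ISN sent in the SYN-ACK, or None if dropped."""
        if self.use_syn_cookies:
            return self._cookie(client, client_isn)   # no state kept at all
        if len(self.half_open) >= BACKLOG:
            self.dropped += 1                         # nothing left for anyone else
            return None
        server_isn = 1000 + len(self.half_open)       # any value will do in this model
        self.half_open[client] = server_isn
        return server_isn

    def on_ack(self, client, client_isn, ack_number):
        """Third step: the client acknowledges server ISN + 1.  Returns True if
        the connection becomes established."""
        if self.use_syn_cookies:
            ok = ack_number == self._cookie(client, client_isn) + 1
        else:
            ok = self.half_open.pop(client, None) == ack_number - 1
        if ok:
            self.established.add(client)
        return ok

def syn_flood(listener, count):
    """Attacker sends SYNs from forged sources and never answers the SYN-ACKs."""
    for i in range(count):
        listener.on_syn((f"10.0.{i // 256}.{i % 256}", 40000 + i), client_isn=7)

def legitimate_connect(listener, client=("192.0.2.10", 51515), client_isn=42):
    """A real client completing all three steps; False if the server would not let it in."""
    server_isn = listener.on_syn(client, client_isn)
    if server_isn is None:
        return False            # SYN-ACK never sent: the half-open table is full
    return listener.on_ack(client, client_isn, server_isn + 1)
```

Real SYN cookies also pack a timestamp and an MSS hint into the 32-bit sequence number, so that stale cookies expire and the connection still gets a sensible segment size; this model leaves both out, which is why its cookies never expire. The trade-off is that TCP options carried only in the SYN are lost, which is why stacks typically fall back to cookies only once the backlog fills.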

Microsoft itself is frequently under attack and is often the first to know when a new type of attack has been contrived. On several occasions, Microsoft developers have had to work hard to release emergency patches. Toward the end of this chapter we give details of the Microsoft Security Advisor Service and the URL where emergency patches are made available. Web site administrators must monitor these facilities to immediately apply any recommendations from Microsoft.

Nonrepudiation

In many situations, it is very important that a message, once sent, cannot be disowned by its sender. Disownership of a message is referred to as repudiation; and nonrepudiation is a very important assurance, particularly in many areas of electronic commerce, where the ability to positively identify the source of a message or document means that the sender cannot deny involvement in creating the message.

For example, let us consider the purchase of some Microsoft shares via an online broker. What if the shares drop in price and the purchaser denies having purchased them? The broker needs the ability to prevent the purchaser from falsely claiming never to have sent the transaction. Similarly, consider the more likely event that the shares went up in price. The purchaser needs a cryptographic receipt that confirms that the broker processed the transaction.

Nonrepudiation is tackled with a branch of cryptography that creates digital signatures and digital certificates. We shall introduce these topics in Chapter 5 when we discuss secure communication channels and in Chapter 8 when we demonstrate ASP and client certificates processing. In Chapter 9 we discuss Microsoft Certificate Server and see how to create a secure infrastructure based on this technology.

Risk Management

As a rule, the first and most fundamental task when implementing security is risk management.

Risk management is not about taking no risks at all. If that were the case, our machines would be disconnected from the Internet and be set to standalone for good. Instead, as the name suggests, it is all about understanding the risks and controlling them.

Web security is not all-or-nothing. Instead, it is a matter of applying it to various degrees, determined by an analysis of a number of factors, such as the perceived risks, the costs involved, and the ease of use.

Risk management can be considered as three tasks:

  • Assessing the risks
  • Implementation of a security policy
  • Continual analysis of the risks involved

Risk Assessment

Risk assessment involves the process of

  • deciding what we need to protect and whom we are protecting it from
  • analyzing the worst possible security breaches and their resultant costs (in both financial and nontangible forms)

Then, taking costs and usability into account, we can choose a security strategy and determine the optimum levels of security that must be applied. If an organization decides that the worst possible scenario is just too bad to contemplate, then it may be necessary to restrict the business functionality of the system or to impose limits so as to remain within an acceptable band where any loss can be absorbed.

Throughout this book we shall highlight the various issues that need to be considered, discuss the various threats that are lurking on the Internet and demonstrate the various tools in our arsenal so that appropriate Web security can be implemented.

Policy Definition

Stemming from the risk assessment is the task to create a clear and concise security policy document. The policy document defines the rules and guidelines for successful and secure operation of the system, and should include such issues as:

  • Different types of users, and their responsibilities
  • What access restrictions are implemented for different parts of the system
  • Procedures for handling backups and other maintenance operations
  • Testing strategies
  • Procedures for handling security violation incidents
  • Procedures for handling audit logs
  • Password policy
  • Procedures for guaranteeing privacy of information
  • Rules and procedures to regulate software downloads from the Internet
  • How to address breaches in security

Writing a policy document is not a trivial matter, and the list of contents given above is by no means exhaustive! It is important that the document be reviewed and made available to all members of staff.

The policy document is a vital tool in ensuring that potential problems are identified before it is too late and is essential for disseminating accurate information in large organizations or those with a high staff turnover rate. The design of any Web system will often assume that this security policy is being implemented, and any deviation may compromise the security of the system.

Ongoing Risk Assessment

Once the system has been implemented, it's important that the risk management continues to ensure that security mechanisms are kept up to date and use the latest technologies that are available.

To illustrate this, consider the following. The cost of high-performance computers is falling rapidly. This means that potential attackers are gaining access to increasingly powerful equipment, enabling them to attempt to break password and encryption mechanisms by trying every possible password or key until one works. Such techniques are called brute force methods, and their feasibility is decided purely by the size of the space to be searched and the speed of the attacker's hardware.

There are always new types of attacks being devised. The solution is to keep up with the latest threats, technologies, and ideas by regularly monitoring security-related newsgroups and Web sites, by exploiting the latest powerful processors, and by using stronger algorithms and longer keys.

Perfect Security

Today's business demands force most software vendors to bring their software to market as soon as possible, and this often means that companies make compromises with their testing strategies. Any company that claims its products are unbreakable is suffering from an overdose of marketing hype. Vendors cannot guarantee that their software is bug-free; consequently, it is fair to say that no single security measure can guarantee a 100% secure system.

These days, security holes are frequently detected, highlighted, and discussed on Internet newsgroups, and then vendors quickly release emergency patches.

The brute force attack mentioned above highlights that it's not only bug-ridden software that can be broken through. Weak security mechanisms, while useful, cannot be relied upon in isolation.

It's possible to reduce the risks of being on the Internet by combining multiple security measures, an approach known as defense in depth. If one security hole is found and breached, then the other measures are in place to protect the system. Obviously, the more independent security measures that are in place, the greater the reduction of risk of any complete security breach. In practice, when considering the appropriate number of security layers, it's necessary to balance costs (for items like software, hardware, and consultancy) and ease of use against potential risk exposure.

For example, very complex encryption algorithms could be implemented to ensure the privacy of data. However, such algorithms are likely to be very CPU intensive, so their cost must be reconciled with the cost of whatever additional hardware is required.

Furthermore, the application of excessive security can seriously affect a user's productivity. In some cases, a user will be tempted to cut corners, compromising security in the process. Consider, for instance, a password policy that forces a password to include both uppercase and lowercase characters, with at least one number and at least one nonalphanumeric character. A user who finds such a password difficult to remember may be tempted to write it down on paper. Such information is easily disclosed if the paper falls into the wrong hands.

Physical Security

Of course, if we are operating a business-critical system, then we will need to consider the physical security of the computer hardware. These considerations may seem obvious, but there are aspects of physical security that we must build into our plan before we build our system.

Ideally, our hardware must be located in a dedicated room, designed for delicate computer equipment. We need to consider temperature, humidity, dust extraction, etc. The computer room should have restricted and monitored access limited to the personnel who are needed to administer the system. Food and drink must be banned from the room; if someone spills a cup of coffee into the Web Server, and the staff loses access to data or applications as a result, then it will cost the organization greatly. This may seem an obvious point, but the service department of any large company has tall tales to tell about "liquid contamination"!

We will need to make sure that power switches and reset buttons are positioned so that they can't be activated accidentally. I once leaned on a big red button and immediately killed all of the machines in the machine room! We should consider using an uninterruptible power supply (UPS) and perhaps a backup generator, so that the system continues to run in the event of a power failure. Power conditioners should be used to prevent surges that can harm the delicate equipment.

In some circumstances, cabling may have to be passed through insecure areas. In this case it's worth considering fiber optic links as a way of avoiding the various techniques for tapping signals emitted from a twisted pair cable.

High Availability/Fault Tolerance

Highly available systems can be achieved using the latest clustering software, which allows two or more machines to be interconnected and to work as a single unit. In the simplest case, one machine is identified as the primary processing system, and the second acts as a hot standby system that automatically takes over (without user knowledge) if the first system fails. More powerful clustered installations allow multiple machines to cooperate and dynamically load balance the workload over the available resources. If one system fails, the load is rebalanced over the remaining machines.

Fault-tolerant disk systems, called Redundant Array of Inexpensive Disks (RAID), can be used to protect data against the failure of a single disk. A RAID is manufactured by joining several disk units together and spreading the data, with redundancy, over the various units. Distributing the data over multiple disk spindles also increases disk performance, because data can be read from several points simultaneously. Various types of RAID exist, designated from 0 to 5: these levels define characteristics that affect cost, performance, data redundancy, and ultimately suitability for a particular task. Note that RAID 0 is striping alone, with no redundancy, so it improves performance but offers no protection at all; and no RAID level is a substitute for backups, since it faithfully replicates accidental or malicious deletions too.

Backing Up Your System

In order to protect the system against data corruption due to equipment failures and either accidental or malicious user actions, it's worth making regular backup copies of your data. The backed-up data should be kept offsite, to avoid data loss in the case of a major disaster at your premises (such as a fire, or a malicious security breach that destroys the data on site). Restores should be tested periodically: a backup that has never been restored is not known to work. Of course, since backup files will contain significant company information, they must be safeguarded to ensure that they don't fall into the wrong hands.

Security and the Internet

So far we have introduced a number of key security concepts that are prerequisites for success. By implementing the appropriate security measures, we can defend our systems from both internal and external perils. Now, let us have a closer look at the sorts of threats that can arise from the Internet.

In this section, we will take a high-level view of how security affects Web architectures. We will assume that you already have a reasonable understanding of basic Internet technologies and concepts.

Threats on the Internet

The security needs of Internet-based systems are very different from those of traditional networking. For example, the Internet offers no centralized infrastructure to provide responsibility for network security.

The initial conception and implementation of the Internet was to provide openness and robustness, and to ensure availability of the network for all computers at all times. Even though the Internet was originally a network built for national defense, the security of confidential information was considered secondary because only trusted users had access to the network.

The Internet is on a huge global scale, with connected systems open to a user base of potentially many millions. Only a small minority of Internet users are interested in system security weaknesses (and probably only a small percentage of them have developed the capability to exploit such weaknesses). However, the huge volume of users means that the number of determined, skilled attackers out there is too significant to be ignored.

Talk of any newly found vulnerability travels quickly across the Internet. What may begin as an isolated finding can lead to massive worldwide problems if news of the vulnerability spreads rapidly - and it often does!

External Threats

In order for a business to access the full potential of the Internet and its huge user base, it must open its internal network, and provide a shop window to promote its affairs. Most visitors will be happy simply to look through this window, but there will always be a few Peeping Toms who will attempt to see things never intended for public scrutiny. Worse still, a small number of resourceful people will go one step further, by attempting to break the window, climb through, and (undoubtedly) cause concern and damage.

The bandits of today's superhighway can be classified into three groups:

  • Charlatans: Those who impersonate an existing person or organization, or take on a false identity. For example, suppose that you're purchasing a book from a Web site; how can you be confident that the vendor is really a legitimate business? Can you be sure that you haven't sent your credit card details to some impostor? Alternatively, suppose that you are the book vendor; how can you be confident that you're dealing with a legitimate customer? Impersonators aren't just a financial danger; they may also make harmful statements that damage your reputation.
  • Spies: Those who access confidential information. For example, consider the transfer of your business plans via electronic mail. How can you be confident that these details are not being intercepted? Could they be passed on to your direct competitors?
  • Vandals: Those who tamper with data. For example, consider the payment of your electric bill via an Internet home banking service. How can you be confident that your instructions will not be interfered with? Could the payment transaction be illegally redirected to someone else's account?

Of course, some loathsome rogues will be resident in more than one of these three groups. As Internet technology expands, the unscrupulous are able to find new and ingenious mechanisms for their attacks. Unfortunately, the severe damage they can cause is often not discovered until it is too late.

The recent media hype about network security has referred to such individuals as hackers. This is a misnomer. A hacker is someone with expertise in exploiting holes in network security but who never performs any malicious actions. A bandit who does cause malicious damage is a cracker.

If Internet communications are to become a key component in the IT strategy of your organization, then you will need a set of technologies and standards to outmaneuver these bandits. The good news, as we shall see throughout this book, is that the protection mechanisms do exist.

Internal Threats

While the Internet is perceived to be a hostile place with thousands gunning for your system, most organizations believe that the biggest threat is internal. Statistical studies suggest that over 85% of computer crimes are carried out by individuals who are authorized to use the systems involved.

The people to watch inside your organization are:

  • Administrators: Because responsibility for the system's security stops with the administrator, he is frequently the weakest link in security management. The security technologies that we shall discuss in this book are not easily mastered; they will only work if they have been configured correctly and all security holes are filled. If not, there is always one smart person who will find a way to get through.
  • Village Idiots: Actions that lead to serious damage and severe consequences are not always malicious. For example, deleting a database will have the same impact whether it was deleted accidentally or deliberately. Appropriate security can ensure that inexperienced users do not perform unintentional operations.
  • Traitors: It is quite possible that the spies and vandals we have already discussed are disgruntled staff members or associated with partner organizations that have been granted privileged access into your systems.

The Web Server

Early Web servers were designed purely to publish information, and as we have already suggested, security was often regarded as secondary. Nowadays, Web technology is being used to share sensitive key information and participate in high-value electronic commerce transactions. As a result, it is important to make certain that there are no security holes that can be exploited.

To achieve a secure solution, it is vital that Web applications run on a Web server that is tightly integrated with a secure networking operating system.

The security subsystem must provide:

  • Authentication of each user's identity
  • Restrictions on accessing system resources (such as disk files, processes, etc.) to only those users who have permission to perform the action
  • Auditing of users' actions
  • A rich set of administrative tools

Furthermore, the operating system must be well proven and provide a robust, scalable, and high-performance foundation.

Only with such an operating subsystem can we have the confidence to build a security subsystem that controls malicious hackers and reckless employees and ensures availability, confidentiality, and integrity.

The Network

The phenomenal growth of Web technologies has led to the general adoption of a family of protocols known as the Internet Protocol Suite (or more commonly as TCP/IP). All major software and hardware vendors now provide support for TCP/IP, and it has quickly become the de facto standard for networking across heterogeneous computing environments.

By putting a machine on a TCP/IP network, you are providing a channel by which other machines can communicate with systems services and resources on your machine. Likewise, your machine can use the same channel to interface with other systems.

Unfortunately, the same channel provides open access to your machine, for both well-founded and malicious uses. Furthermore, the information that passes over the network can easily be tapped, and captured for potentially unscrupulous use.

The wealth of information on the Internet means that giving Internet access to the desktops in your organization provides a great productivity tool. The downside, apart from the waste of working hours by employees surfing for private entertainment, is the danger generated by their bringing executables from unknown resources into your organization, which could include malicious code. We will return to this point in a moment.

The requirements for secure Web networking include:

  • Protocol filters to:
    • prevent break-ins to any private areas of the Web system or other machines in the corporate enterprise
    • control internal users accessing the Internet
  • Secure point-to-point communication channels ensuring:
    • encrypted data channels
    • message tampering detection
    • client and server authentication

We shall return to discussing TCP/IP networking and the associated security risks later in Chapter 3; we shall also see how to implement the filters that are listed in the above requirements. Then, in Chapter 5, we shall look at secure communication channels that address the remainder of the requirements listed above.

The User's Desktop

The proliferation of software executables that can easily be downloaded from the Web poses huge risks for most Web users. When software is downloaded from unauthorized sources, viruses with malicious code may be introduced, perhaps hidden within standard software, that can cause a wide variety of unwanted effects.

One commonly recited example is that of a Web site that offered free pornographic photographs. As part of the registration process, the user was required to download a special program for viewing the graphic files. Unbeknown to the user, the downloaded program also adjusted the user's dial-up networking properties so that all future calls to the user's ISP instead accessed the Internet via a long-distance premium charge call to Moldova. Such activity was unnoticed by users until their telephone bills arrived, and the caper was very profitable for the porn suppliers before it was tracked down.

In the next chapter we will see another dangerous example of this kind of Trojan. In this example, an administrator invokes a program from an unknown source, activating a hidden piece of logic within the program that emails the passwords database to a hacker, and all without the knowledge of the administrator.

Typically, when we purchase software in a shop, we know who published it (the name is on the box) and we can be sure that it has not been tampered with since it left the software publisher (if the box is sealed). While there is no absolute certainty that the software is free from viruses, we generally trust it. The same set of assurances is needed for downloaded software.

The requirements for the protection of a user's desktop are an electronic form of shrink-wrapping that provides, for any downloaded software:

  • the name of the software publisher
  • assurance that the software has not been tampered with since being published

Only if we fully trust the software publisher should we allow the software to be installed. We shall investigate trust and protecting the desktop in Chapter 6.
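The two "shrink-wrap" requirements above map directly onto a digital code signature: the signing certificate names the publisher, and a signature that still verifies shows the file has not changed since it was signed. The following PowerShell function is an added example, not code from the book; it uses the built-in Get-AuthenticodeSignature cmdlet, and the file path and trusted publisher name in the usage call are placeholders you would replace with your own.

```powershell
# Added example (not from the book): check the two "electronic shrink-wrap"
# properties of a downloaded file using its Authenticode signature.
function Test-DownloadedSoftware {
    param(
        [Parameter(Mandatory = $true)]
        [string]$Path,
        # Certificate subjects you have decided to trust (assumed list; edit to suit).
        [string[]]$TrustedPublishers = @()
    )

    $sig = Get-AuthenticodeSignature -FilePath $Path

    # Requirement 2: the signature must verify, i.e. the file is unchanged
    # since the publisher signed it. Any other status (NotSigned,
    # HashMismatch, UnknownError, ...) means that assurance cannot be given.
    if ($sig.Status -ne 'Valid') {
        return [pscustomobject]@{
            Path       = $Path
            Publisher  = $null
            Thumbprint = $null
            Install    = $false
            Reason     = "Signature status is $($sig.Status): $($sig.StatusMessage)"
        }
    }

    # Requirement 1: the name of the publisher, taken from the signing
    # certificate rather than from the file name or the download page.
    $publisher = $sig.SignerCertificate.Subject
    $trusted   = $TrustedPublishers -contains $publisher

    [pscustomobject]@{
        Path       = $Path
        Publisher  = $publisher
        Thumbprint = $sig.SignerCertificate.Thumbprint
        Install    = $trusted
        Reason     = $(if ($trusted) { 'Valid signature from a trusted publisher' }
                       else { 'Valid signature, but publisher is not on the trusted list' })
    }
}

# Usage with placeholder path and publisher subject:
Test-DownloadedSoftware -Path 'C:\Downloads\viewer.exe' `
    -TrustedPublishers @('CN=Example Publisher, O=Example Ltd, C=GB')
```

The decision is deliberately split into two steps that mirror the text: a valid signature only proves integrity and identifies the signer; whether that signer is one you trust is a separate policy decision, which is why an unlisted publisher still yields Install = $false.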

Additionally, the desktop can be protected from known viruses by using virus detection software on a proxy server. This is discussed in Chapter 3.

Corporate Enterprise Systems

It is often necessary to integrate a new Web solution with existing corporate systems; examples include mainframes (legacy systems), database servers, e-mail systems, and so on. Doing so enables the Web system to become a powerful customer-facing system for the delivery of existing and future business services. This approach enables the organization to modernize its infrastructure yet protect its typically huge investments in IT systems.

Every organization will have its own unique hodgepodge of different technologies, operating environments, and applications.

Some of the mechanisms that can be used to provide a seamless integration to external systems include:

  • using a software framework that facilitates the interoperability of software components; an example is COM (or ActiveX), discussed in Appendix A
  • using the Winsock 1.1 API; this provides a high-level, easy-to-use interface for writing applications that require TCP/IP communication; it also supports other protocols
  • accessing a remote database directly using an interface like ODBC, OLEDB, or an API provided by a native client database driver
  • invoking remote functions directly using DCE Remote Procedure Call (RPC)
  • using LDAP protocols to interface with Directory Services, e-mail systems, and X.500-compliant datastores
  • implementing screen-scraping techniques whereby interface software becomes a virtual user; this involves navigating the screens, entering data, and parsing the response screens to extract relevant data
  • using a message-queuing product for transactions where delivery must be assured but they do not have to complete in real time; an example of this is Microsoft Message Queue Server
  • using the CICS API to invoke a transaction in IBM's CICS (Transaction Processing) environment
  • using middleware, a software abstraction layer that handles low-level protocol complexities and provides a simple API

Each interface to an external system will bring its own set of security requirements and problems. Different systems will require the application of different levels of security. We shall investigate interfacing ASP to these different systems throughout Section Two of the book.

Microsoft Internet Security

In this book we shall focus on the comprehensive set of Web technologies from Microsoft that are enabling companies to build secure business applications for deployment over the Internet. Microsoft joined the Internet game relatively late but has rapidly gained momentum. Since 1996 it has released an incredible range of innovative Internet products, all embracing various industry standards. These products provide users with rich and compelling Internet experiences, and organizations with the mechanisms to develop business-critical Internet solutions.

A complete overview of Microsoft and its Internet products and strategies is included in Appendix A. The discussion in the main text is limited to security issues. We shall see throughout this book that Microsoft's security strategy is based around three key objectives:

  • Security must be tightly integrated into operating systems and services
  • Security must be comprehensive and contain no holes
  • Security must be easy to use and administer

The foundation of Microsoft's Web strategy is its Windows NT operating systems and its commercial Web server, Internet Information Server (IIS). At the time of writing, IIS4 is supplied as part of the Windows NT 4.0 Option Pack.

Security was a paramount concern when Microsoft developed its vision of Windows NT for the enterprise, so security features were designed into the bedrock of the operating system. This enables any organization to layer its security options in an appropriate combination specifically suited to combat the perceived risk it faces. We shall discuss Windows NT Security in Chapter 2.

IIS was designed for ease of use, scalability, portability, security, and extensibility, and is widely acknowledged to be superior to any of the alternatives. IIS version 4.0 is Microsoft's latest standards-based Web application server for Windows NT Server; it provides a powerful environment for the next generation of line-of-business applications. Because IIS and Windows NT are tightly integrated, they share the same security features and administration tools. We shall discuss IIS security in Chapter 4.

The capabilities of IIS are expanded with Microsoft Site Server, which is packaged as part of the BackOffice family of products. This provides a comprehensive set of components and management tools that makes it possible to reduce development time and costs when building and deploying secure line-of-business Web sites. The membership components of Site Server provide additional user authentication mechanisms, as will be demonstrated in Chapter 14.

The Microsoft Internet Security Framework (ISF), a policy statement released at the end of 1996, explained Microsoft's strategy to support a set of security technologies designed for online communications and electronic business. Since this document was released, Microsoft has delivered an extensive public-key security architecture for the Windows platform based on industry standards. It includes certificate services, secure communication channels, payment protocols and cryptographic support. We shall discuss cryptography and digital certificates in Chapter 5, and show how to use them for accountability in Chapter 6. Then, in Chapter 9, we shall see how to use Microsoft Certificate Server to create a security infrastructure based on digital certificates.

Holes in Microsoft Security

Security is continually evolving, and problems with existing software are frequently encountered. Microsoft, like all other major software vendors, is often highlighted in the trade press and Internet newsgroups when security problems with its products are found.

One great site that monitors discoveries of new security flaws in Windows NT and associated products (not necessarily Microsoft's) can be found at

http://www.ntsecurity.net/

This site provides information that makes it possible to keep up to date on known security holes in Windows NT and provides advice on places to go for current information and updates.

Take a look and see what new discoveries have been posted in the last few days.

This site also provides details for subscribing to their NT Security Digest and NT Security Alert List.

The NT Security Digest consolidates important security information obtained from many related sources.

When the guys at this site learn of a new and important NT security issue, they notify all list members within the hour.

And the service is free!!

Once a security hole has been exposed, an educated administrator can patch it.

Microsoft's Support for Security Issues

Microsoft recognizes the importance of security and wants to ensure that everybody is comfortable using its products in environments where security is paramount. To this end it has implemented an area on its Web site called the Microsoft Security Advisor.

SECURITY ADVISOR

The Security Advisor Web site provides a forum for the latest security issues, press releases, and details/advice on any recently discovered security flaws.

The URL of the Security Advisor is:

http://www.microsoft.com/security

E-mail on security matters can be sent to the Security Advisor at secure@microsoft.com

Service Packs/Hot Fixes

Microsoft maintains a large online database of fixes for its operating systems. These are available either as service packs (SP) or as hot fixes. Service packs are substantial operating system upgrades which apply numerous bug fixes that have undergone considerable regression testing. Hot fixes are individual bug fixes that are released between service packs; they are often released as emergency bug fixes and thus do not undergo the same stringent testing procedures that a service pack undergoes. Since service packs are cumulative, SP4, for example, will include all the latest fixes, as well as all earlier fixes from SP1, SP2 and SP3.

The latest service pack is always the one to be applied. Hot fixes should be carefully considered and only applied when the shortcoming has a serious impact or poses a major security risk. Service packs and hot fixes are available at

ftp://ftp.microsoft.com
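The policy above (latest service pack always, individual hot fixes only where the risk warrants it) is only enforceable if you can see which fixes a machine actually has. The following PowerShell snippet is an added example, not code from the book; it uses the built-in Get-HotFix cmdlet, and the KB identifiers in the usage call are placeholders standing in for whatever fixes your own policy mandates.

```powershell
# Added example (not from the book): report which required fixes are missing
# from this machine so that the "apply and monitor" policy can be checked.
function Get-MissingHotFix {
    param(
        [Parameter(Mandatory = $true)]
        [string[]]$RequiredKB   # e.g. 'KB1234567'; values below are placeholders
    )
    # Get-HotFix lists the updates recorded by the Windows update subsystem;
    # HotFixID is of the form "KBnnnnnnn".
    $installed = (Get-HotFix).HotFixID
    $RequiredKB | Where-Object { $installed -notcontains $_ }
}

# The OS version/build is the modern equivalent of "which service pack level";
# cumulative updates advance the build number just as service packs did.
"Running Windows version $([System.Environment]::OSVersion.Version)"

$missing = Get-MissingHotFix -RequiredKB @('KB0000001', 'KB0000002')   # placeholders
if ($missing) {
    "Missing required fixes: $($missing -join ', ')"
} else {
    "All required fixes are present"
}
```

Get-HotFix only reports updates that register as quick-fix engineering entries; a fix delivered inside a cumulative update shows up as the cumulative package's KB number, so compare against the build number as well as the KB list.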

Summary

In this opening chapter we have discussed the basic concepts of security and have seen what to expect in the remainder of the book. Security is a huge topic and has many facets. Good security is achieved by formulating sound policies, employing appropriate security technologies, consistently monitoring all practices, and in general being aware of trends in the security arena.

The key points learned in this chapter are:

  • The security needs of Internet-based systems are very different from traditional networking.
  • Security is a huge, wide-reaching topic embracing such concepts as user authentication, access controls, confidentiality of data, and protection against malicious code.
  • Security means implementing a system that can be trusted to provide availability, confidentiality, and integrity.
  • The amount of technology to be applied to the problem is determined by balancing the business risk against cost and ease of use.
  • Always apply the latest service packs and monitor the available hot

  • There are many loathsome bandits lurking on the Internet (or perhaps your Extranet/Intranet) with the capability of exploiting any security weaknesses in your Web systems.

  • The site administrator must be fully security-aware and have a full understanding of the security arsenal that is available. Acquiring advanced security tools is a waste of time if they are not properly implemented.
  • The physical security of systems must not be ignored.

Finally, we must remember that security is continually evolving:

  • New problems with existing software are frequently encountered.
  • The bandits are getting smarter.
  • Software and hardware technologies are rapidly getting more powerful.

So always keep in mind that:

Security is a journey, not a destination

Security is not something that is turned on and then forgotten. It entails the ongoing task of risk assessment to monitor the continual changes in order to keep one step ahead of the bandits.

We shall now take our next steps by investigating the security aspects of Windows NT.

Copyright © 1997-2000 Active Server Corner. All rights reserved.